Report No. DODIG-2012-116       August 7, 2012

External Quality Control Review of the Defense Information Systems Agency Audit Organization

Additional Information and Copies
The Department of Defense, Office of the Assistant Inspector General for Audit Policy and
Oversight, prepared this report. To obtain additional copies of the final report,
visit www.dodig.mil/audit/reports or contact the Office of the Assistant Inspector General for
Audit Policy and Oversight at (703) 604-8760 or fax (571) 372-7454.

Suggestions for Reviews
To suggest or request reviews, contact the Office of the Assistant Inspector General for Audit
Policy and Oversight by phone (703) 604-8760 (DSN 664-8760), by fax
(571) 372-7454, or by mail:

    Department of Defense Inspector General
    OIG-APO
    ATTN: Suite 11D28
    4800 Mark Center Drive
    Alexandria, VA 22350-1500

Acronyms and Abbreviations

AIGA     Assistant Inspector General for Auditing
DISA     Defense Information Systems Agency
DITCO    Defense Information Technology Contracting Organization
GAGAS    Generally Accepted Government Auditing Standards
IG       Inspector General
IRR      Independent Reference Review
IUID     Item Unique Identification
MIPR     Military Interdepartmental Purchase Request

INSPECTOR GENERAL
DEPARTMENT OF DEFENSE
4800 MARK CENTER DRIVE
ALEXANDRIA, VIRGINIA 22350-1500

AUG 7 2012

MEMORANDUM FOR DIRECTOR, DEFENSE INFORMATION SYSTEMS AGENCY

SUBJECT: External Quality Control Review of the Defense Information Systems Agency Audit
         Organization (Report No. DODIG-2012-116)

We are providing this report for your information and use. We have reviewed the system of
quality control for the audit organization of the Defense Information Systems Agency
Office of Inspector General (DISA IG) in effect for the period ended March 31, 2011. A system
of quality control for DISA's

DISA IG is responsible for designing a system of quality control and complying
with its system to provide DISA IG management with reasonable assurance that its audits are
performed and reported on in accordance with GAGAS in all material respects.

Our review was conducted in accordance with GAGAS and guidelines established by the
Council of the Inspectors General on Integrity and Efficiency. We tested the DISA IG audit
organization's system of quality control to the extent we considered appropriate. GAGAS
require that an audit organization performing audits in accordance with GAGAS have an
appropriate internal quality control system in place and undergo an external quality control
review at least once every 3 years by reviewers independent of the audit organization being
reviewed. An audit organization's quality control policies and procedures should be
appropriately comprehensive and suitably designed to provide reasonable assurance that they
meet GAGAS requirements for quality control.

Federal audit organizations can receive a rating of pass, pass with deficiencies, or fail. In our
opinion, the DISA IG audit organization's system of quality control for audits was suitably
designed in accordance with quality standards established by GAGAS; however, we identified
significant deficiencies that existed in the audit organization's compliance with its system of
quality control.
The significant deficiencies identified do not provide DISA IG management
with reasonable assurance of performing and reporting in conformity with GAGAS in all
material aspects. Accordingly, as a result of the significant deficiencies described in
Appendix B, we are issuing a fail opinion on the DISA IG audit organization's system of quality
control used on audits for the review period ended March 31, 2011.

Appendix A discusses our review of the DISA IG system of quality control and
Appendix B contains matters that resulted in the fail opinion. In addition, Appendix C contains
comments and observations where the DISA IG audit organization can improve its quality
control program related to auditing practices. Appendix D contains a summary of the results of
our interviews with DISA IG audit staff. Appendix E contains the scope and methodology of the
review.

(703) 604-8877 (DSN 664-8877).

Deputy Inspector General
for Policy and Oversight

Introduction

Defense Information Systems Agency
The Defense Information Systems Agency (DISA) is a combat support agency that engineers and
provides command and control capabilities and enterprise infrastructure to continuously operate
and assure a global net-centric enterprise in direct support to joint warfighters, national level
leaders, and other mission and coalition partners across the full spectrum of operations. DISA is
headquartered at Fort Meade, Maryland and employs about 16,000 military and civilian
employees, and their contractor partners.

DISA IG Audit Organization
The DISA Office of the Inspector General (IG) is an independent office within DISA that
conducts, supervises, monitors, and initiates audits, inspections, and investigations relating to
programs and operations of DISA.
DISA Instruction 100-45-1, “Inspector General of the
Defense Information Systems Agency,” dated April 11, 2008, establishes the mission of the
Office of the Inspector General and delineates its responsibilities, functions, authorities, and
relationships. The DISA IG audit organization is located at Headquarters and has a regional
office at Scott Air Force Base in Illinois. The audit organization promotes continuous
improvement in management controls by conducting audits and reviews of DISA operations and
financial activities to evaluate operational efficiency and effectiveness, and performing
follow-up procedures for prior audit recommendations. The IG reports to the Director/Vice Director,
DISA. Additional details on the DISA IG audit organization and the scope and methodology for
this review are contained at Appendix E.

Appendix A. System of Quality Control Was Suitably Designed

With the exception of two areas, the system of quality control for the DISA IG audit organization
was suitably designed. The DISA IG Audit Handbook (the Audit Handbook) contained policies
and procedures that established internal guidance and audit requirements, and if properly
followed, would provide reasonable assurance that GAGAS would be met.

The DISA IG audit organization performed work and issued reports covered in our review
pursuant to the July 2007 version of the Audit Handbook.
The Audit Handbook was updated in
March 2011 to reflect current guidance as well as practical audit techniques and innovative
strategies.

The two areas where the Audit Handbook did not contain specific policies and procedures for
ensuring that audits and attestation engagements comply with GAGAS were:

   •   The Audit Handbook did not contain procedures for notifying the entity management
       when an impairment to independence is identified after the audit report is issued.

   •   The Audit Handbook did not contain procedures to ensure that the continuing education
       and training requirements for the agency's audit staff are met. Particularly, the Audit
       Handbook did not contain policies and procedures on how the audit organization
       documents and tracks formal continuing professional education and training.

Adding policies and procedures to the Audit Handbook to address these two areas is important to
ensure auditors are fully aware of their responsibilities while performing work under GAGAS.

Recommendation, Management Comments, and Our Response

Recommendation
We recommend that the Director, DISA:

 1. Update the Audit Handbook to include policies and procedures that:

       a. Explain the process for notifying the entity management when an impairment to
          independence is identified after the audit report is issued.
       b. Explain how the audit organization documents and tracks formal continuing
          professional education and training.

Management Comments
The Inspector General, DISA concurred.
DISA will update the Audit Handbook to include
explanations for the process for notifying the entity management when an impairment to
independence is identified after the audit report is issued and how the audit organization
documents and tracks formal continuing professional education and training.

Our Response
The management comments are responsive. When completed, we request the Inspector General,
DISA, to provide us with a copy of the revised Audit Handbook.

Appendix B. Significant Deficiencies that Provide the Basis for the Fail Opinion

We identified significant deficiencies that existed in the audit organization’s compliance with its
system of quality control. GAGAS 3.51 states that an audit organization’s system of quality
control encompasses the audit organization’s leadership, emphasis on performing high quality
work, and the audit organization’s policies and procedures designed to provide reasonable
assurance of complying with professional standards and applicable legal and regulatory
requirements. The significant deficiencies identified do not provide the DISA IG audit
organization with reasonable assurance of performing and reporting in conformity with generally
accepted government auditing standards (GAGAS) in all material respects.
Therefore, we are
issuing a fail opinion on their external quality control review.

Significant deficiencies affecting our opinion on the DISA IG audit organization’s compliance
with its system of quality control are:

   •   Annual quality assurance reviews were not always performed and those performed were
       not effective;
   •   Nonaudit services were performed without an evaluation of potential independence
       impairments;
   •   DISA did not exercise sufficient professional judgment as evidenced by substantive
       noncompliance with GAGAS and their system of quality control on all four audit
       assignments reviewed;
   •   There was a lack of evidence of initial and final supervisory reviews of workpapers
       significant to supporting findings and conclusions;
   •   Auditors did not obtain sufficient and appropriate audit evidence to support findings and
       conclusions; and
   •   A letter report asserted a nonaudit service was conducted in accordance with GAGAS.

These significant deficiencies as identified above provide the basis for the opinion and our
concern about the audit organization’s inability to comply with the DISA IG quality control
system to provide reasonable assurance of compliance with GAGAS.

Implementing the recommendations identified in this report would assist the DISA IG’s efforts
in improving their audit organization’s system of quality control thereby helping to ensure
compliance with GAGAS requirements.

Quality Assurance Program

Annual Quality Assurance Reviews Not Always Performed and Those Performed Deemed Not Effective
The DISA IG audit organization did not meet GAGAS and Audit Handbook requirements to
perform annual internal quality assurance reviews of their audits.
Quality assurance reviews
were performed in November 2008 and February 2011, but there were no reviews conducted
during 2010. The February 2011 review was performed in preparation of our review of the
DISA IG audit operations being discussed in this report.[1] GAGAS 3.53f requires an audit
organization to perform an ongoing, periodic assessment of work completed on audits and
attestation engagements designed to provide management of the audit organization with
reasonable assurance that the policies and procedures related to the system of quality control are
suitably designed and operating effectively in practice. GAGAS 3.54 states the audit
organization should analyze and summarize the results of its monitoring procedures at least
annually, with identification of any systemic issues needing improvement, along with
recommendations for corrective action. The Audit Handbook states the Branch Chief will
perform annual internal quality assurance reviews of audits using guidance adapted from the
President’s Council on Integrity and Efficiency (PCIE) Guide for Conducting External Quality
Control Reviews of the Audit Operations of Offices of Inspector General.[2]

Also, the DISA IG quality assurance program was not implemented in a manner to have
maximum effectiveness. During our analysis of the quality assurance reviews that were
performed in November 2008 and February 2011, we found that some of the issues identified by
DISA IG auditors were similar to those identified during this external quality control review
(refer to sections below). We also concluded that some of the issues the DISA IG auditors
identified were not integral to ensure that audit policies and procedures related to the system of
quality control were suitably designed and operating effectively in practice.
In addition, the
audit organization did not take measures to correct problems and practices that could help ensure
compliance with applicable professional standards and quality control policies and procedures
for GAGAS audits. Lastly, both reviews were completed by a senior auditor, even though the
Audit Handbook states that Branch Chiefs will perform the annual reviews.

November 2008 Quality Assurance Review

There were five audits included in the quality assurance review. The review identified systemic
issues for all five audits; however, no recommendations were provided for corrective actions. To
address the issues identified, the Inspector General, Deputy Inspector General, Assistant
Inspector General for Auditing, and Branch Chiefs discussed each of the problem areas in some
detail to determine a course of action, but took measures only to improve the audit planning
process, and held a meeting with all of the auditors to ensure the auditors fully understood the
areas needing improvement.

Also, some of the issues identified by the DISA IG quality assurance reviewer were similar to
those identified during this external quality control review.
For example, the DISA IG quality
assurance reviewer noted that:

   •   for three of the five projects, the audit plan was not updated to reflect changes made to
       the plan during the audit;
   •   for two of the five projects, the audit report did not include a description of the sampling
       design and why it was chosen when sampling significantly supported the auditors’
       findings, conclusions, or recommendations; and
   •   for one of the five projects, the audit report did not clearly explain the audit’s scope.

[1] The February 2011 review was entitled “Mock Peer Review”.
[2] The Inspector General Reform Act of 2008 changed the PCIE and Executive Council on Integrity and Efficiency
(ECIE) to the Council of Inspectors General on Integrity and Efficiency (CIGIE).

In addition, we determined that part of the quality assurance review was conducted using
outdated professional standards. Specifically, the review was performed using the 2003 version
of GAGAS, even though one of the five audits began after January 1, 2008. The July 2007
revision of GAGAS superseded the 2003 revision and became effective for performance audits
beginning on or after January 1, 2008, and for financial audits for periods beginning on or after
January 1, 2008.

February 2011 Quality Assurance Review

There were three audits included in the quality assurance review. According to the DISA IG, the
review was performed in preparation of the DOD OIG external quality control review. Also, two
of the three findings and recommendations the DISA IG presented were not vital to ensure
the audit organization was complying with its system of quality control and GAGAS.
The
findings and recommendations would not provide reasonable assurance that the audit
organization is following applicable auditing standards and has established and is following
adequate audit policies and procedures. The DISA IG’s findings were:

   •   the Audit Handbook did not contain an organization chart, training matrix, or
       hiring/training policies and procedures applicable to 511 series;
   •   lack of electronic workpapers impeded the review and management control process of the
       Mock Peer Review; and
   •   some discrepancy between numbering of workpapers.

Furthermore, of the three audits reviewed as part of the DISA IG’s quality assurance review, one
was selected and examined by the DOD OIG as part of this external quality control review. It
was the Audit of Travel Vouchers Through the Defense Travel System. The DOD OIG review
team’s assessment disclosed deficiencies that the DISA IG did not.
Specifically, the deficiencies
included:

   •   the audit plan was not updated to reflect changes made to the plan during the audit;
   •   the audit team did not develop the elements of a finding necessary to address the audit
       objectives (did not perform procedures to identify the reason or explanation for a
       condition that was identified);
   •   a finding in the audit report was inadequate (the effect was not adequately stated);
   •   the audit report did not clearly explain the audit’s scope, including the kinds and sources
       of evidence used;
   •   the audit report did not clearly explain the criteria used; and
   •   the independent reference review (IRR) certification for the final report was not signed
       by the Assistant Inspector General for Auditing (AIGA).

Recommendation, Management Comments, and Our Response

Recommendation
We recommend that the Director, DISA:

    2. Establish a 2-year plan for both audit offices to review audits for compliance with
       internal quality assurance policies and procedures and GAGAS.

Management Comments
The Inspector General, DISA concurred. The DISA IG audit organization will conduct its
annual quality assurance assessment in compliance with GAGAS and the revised Audit
Handbook. Due to the small size of the Audit Division, an internal auditor will perform the
quality assurance assessments, and the Audit Handbook will be updated to reflect this change.

Our Response
The management comments are responsive.
When completed, we request the Inspector General,
DISA, to provide us with a copy of the revised Audit Handbook.

Nonaudit Services

Nonaudit Services Performed With No Evaluation of Potential Independence Impairments
During the period under review, the DISA IG audit organization performed three nonaudit
services and no formal documentation was prepared for evaluating potential independence
impairments for any of the nonaudit services. As a safeguard to ensuring that independence is
not impaired by performing a nonaudit service, GAGAS 3.30 states the audit organization should
document its consideration of the nonaudit services, including its conclusions about the impact
on independence. The Audit Handbook states that documentation for nonaudit services must
include evidence of analysis showing that the seven safeguards to independence were satisfied.
The seven safeguards are:

   •   document rationale that providing the nonaudit service does not violate the two
       overarching principles [3];
   •   establish and document an understanding with the audited entity regarding the objectives,
       scope of work, and product or deliverables of the nonaudit service, including an
       understanding that management is responsible for the results of the service;
   •   preclude personnel who perform nonaudit services from performing any related audit
       work (can be waived if less than 40 hours of work is performed);
   •   ensure that the scope and extent of audit work is not reduced beyond the level that would
       be appropriate if another unrelated party performed the nonaudit work;
   •   establish a quality control system that includes policies and procedures to consider the
       effect on ongoing, planned, and future audits and require a documented understanding
       with the audited entity management;
   •   communicate to the audited entity management that the audit organization will not be
       able to perform subsequent related audit work; and
   •   disclose related nonaudit service to peer reviewers, and make available the project
       documentation required.

[3] The DISA IG Audit Handbook is referring to the two overarching principles which are identified in GAGAS 3.22
(July 2007 Version of GAGAS). The two overarching principles are (1) audit organizations must not provide
nonaudit services that involve performing management functions or making management decisions and (2) audit
organizations must not audit their own work or provide nonaudit services in situations in which the nonaudit
services are significant or material to the subject matter of the audits.

Professional Judgment

Failure to Exercise Sufficient Professional Judgment
GAGAS 3.31 states that auditors must use professional judgment in planning and performing
audits and in reporting the results. GAGAS 3.35 states that using professional judgment in all
aspects of carrying out their professional responsibilities, including following the independence
standards and maintaining appropriate quality control over the assignment process is essential to
performing and reporting on an audit.
In addition to the noncompliances in planning, performing
and reporting in each of the four audits reviewed, we also found noncompliances in 3 of the 4
audits in the independence standards area and in each of the 4 audits in the quality control
standards area. The Audit Handbook states that all auditors are responsible for complying with
GAGAS while carrying out their audit work and must justify any departures from GAGAS. We
determined that the DISA IG audit organization did not exercise professional judgment due to
the array of noncompliances found in the majority of auditing standards areas including quality
control and assurance, supervision, evidence, documentation, reporting, independence, planning,
and the use and application of GAGAS. The GAGAS areas where the audit organization lacked
professional judgment are included in the table below and discussed in detail throughout this
report.

DISA IG Audit Organization’s Noncompliances with GAGAS and System of Quality Control

Audits Reviewed                           Independence  Quality  Planning  Performing:        Performing:  Reporting
(By Report Number)                                      Control            Audit Evidence     Supervision
                                                                           and Documentation
2011-02, Compliance with Requirements for      X           X        X              X               X           X
  Item Unique Identification (IUID) Clauses
  in Supply Contracts
2011-01, Operational Support Systems           X           X        X              -               X           X
  Issues
2009-06, Travel Vouchers Through DTS           -           X        X              X               -           X
2009-01, Incoming MIPRs at DITCO Scott         X           X        X              -               -           X

The table above depicts both significant deficiencies and deficiencies in multiple standards areas
which evidences a lack of professional judgment as defined in GAGAS 3.31 and 3.35. While the
significant deficiencies associated with the DISA IG audit organization's noncompliance with its
system of quality control serve as the basis for the fail opinion, this table also includes
noncompliances discussed in Appendix C to capture the lack of professional judgment in all
aspects related to the professional responsibilities of DISA auditors. We evaluated professional
judgment across the four audit projects reviewed, and the deficiencies coupled with the lack of
an adequate quality assurance program and issues related to nonaudit services from an
independence and reporting perspective.

Supervision

There was No Evidence of Initial or Final Supervisory Reviews of Workpapers that Supported Findings and Conclusions
For one of the four projects reviewed, we determined that several GAGAS and Audit
Handbook requirements pertaining to supervision were not followed because there was no
evidence of initial or final supervisory reviews of the audit work performed during the
fieldwork phase. For the “Audit of DISA Compliance with Requirements for IUID Clauses in
Supply Contracts,” Report No. 2011-02, there was no evidence of initial supervisory reviews
for the workpapers prepared to support the first audit finding and conclusions contained in the
audit report and no evidence of final supervisory reviews for the workpapers prepared to
support the second audit finding and conclusions contained in the audit report.

GAGAS 7.52 states that audit supervisors or those designated to supervise auditors must
properly supervise audit staff and GAGAS 7.80c states that auditors should document evidence
of supervisory review, before the audit report is issued, of the work performed that supports
findings, conclusions, and recommendations contained in the audit report. Further, GAGAS 7.79
states that the process of preparing and reviewing audit documentation contributes to the quality
of an audit. Audit documentation serves to: (1) provide the principal support for the auditors’
report; (2) aid auditors in conducting and supervising the audit; and (3) allow for the review of
audit quality. In addition to GAGAS, the Audit Handbook states the first and primary element
for ensuring the quality of audits is supervisory review of the project documentation and
supervisory review should be evident throughout the audit phase. The Audit Handbook also
states that supervisory signatures or initials on documentation, throughout the audit, will be
considered sufficient documentary evidence meeting the supervision fieldwork standard.

We found no evidence of any supervisory reviews for the 50 workpapers that detailed the audit
team’s analysis of the 50 sample items tested for the first finding. Also, for the second finding,
of the 29 analysis and summary workpapers prepared to support the testing of all 318 sample
items, there was no evidence of final supervisory reviews.
We found that after their initial
reviews, supervisors provided comments to the preparer of the workpapers, but there was no
evidence that supervisors reviewed the workpapers again to determine whether the actions taken
by the preparer were sufficient.

Furthermore, supervisors did not complete the IRR process for the audit. During the IRR
process for the draft report, it was noted by the reviewer that the majority of the workpapers were
not reviewed and signed by the supervisors. This IRR deficiency was never corrected and the
supervisors did not sign off on the IRR certification.

Additional Deficiency in Audit Supervision
For the Audit of Operational Support Systems Issues, we identified where a working paper
supporting the findings, conclusions, and recommendations did not include evidence of
supervisory review and approval prior to final report issuance. Specifically, there was no
documentation of supervisory review for the summary workpaper that supported the second
finding. Overall, there was evidence of supervisory reviews throughout the audit, but this
deficiency was noted due to the significance of the workpaper to the audit report.

Audit Evidence and Documentation

Auditors Did Not Obtain Sufficient and Appropriate Audit Evidence
For the “Audit of DISA Compliance with Requirements for IUID Clauses in Supply Contracts,”
Report No. 2011-02, the auditors did not obtain sufficient, appropriate evidence to provide a
reasonable basis for their findings and conclusions.
GAGAS 7.55 states auditors must obtain
sufficient, appropriate evidence to provide a reasonable basis for their findings and conclusions,
and GAGAS 7.56 states the concept of sufficient, appropriate evidence is integral to an audit.
The Audit Handbook states that the information and evidence assembled and the conclusion
developed must form a sound basis for the findings and recommendations and, therefore, must be
supported by sufficient, competent, and relevant evidence. Also, the Audit Handbook states a
record of the evidence should be in the form of project documentation.

For the IUID audit, 93 percent of the testing results for the second finding were not supported by
sufficient and appropriate documentation. Specifically, of the 287 serial numbers/assets tested to
determine whether they were registered in a database, 257 were found not to be registered, and
even though database extracts were available for these exceptions, the audit team did not include
this information in the audit project file.[4] Also, there was no consistency pertaining to the
documentation that was maintained as evidence. For example, of the 30 serial numbers/assets
found to be registered, 19 were supported by printouts from the database. In addition, in some
instances, the audit team used e-mails with handwritten notes as supporting documentation.[5]
The auditors wrote “Yes” and “No” on the e-mails to state whether or not a serial number was
registered. GAGAS A7.02 (Appendix I) states that the strength and weakness of each form of
evidence depends on the facts and circumstances associated with the evidence and professional
judgment in the context of the audit objectives. Documentary evidence, such as database
extracts, is a stronger form of evidence.

Due to the absence of sufficient and appropriate audit evidence, we determined that the report’s
conclusions were not adequately supported.
For future audits, DISA IG auditors should ensure
that in assessing evidence, they evaluate whether the evidence taken as a whole is sufficient and
appropriate for addressing the audit objectives and supporting findings and conclusions.

[4] Database extracts stating "No Records Found" were available if serial numbers/assets were not registered.
[5] The e-mails were correspondences where the auditors requested and/or received the serial numbers.

Reporting
Letter Report Asserted a Nonaudit Service Was Conducted in Accordance with GAGAS
The DISA IG issued a Letter Report to discuss the results of a nonaudit service and included the
unmodified GAGAS compliance statement in the report, which violated GAGAS 1.33. GAGAS
1.33 states that auditors must not report that a nonaudit service was conducted in accordance
with GAGAS. Further, the Audit Handbook states that when the Assistant IG issues a report on
a nonaudit service, the report must clearly indicate that the work was not done according to
GAGAS.

The Letter Report was issued for the Data Mining of DISA Government Travel Card Program
(Project No. 2010-H-301) in August 2010. The project initially began as an audit, but senior
management decided to change the project to a review due to problems in correctly correlating
data used. According to the Assistant Inspector General for Auditing, DISA IG auditors found
the data received from a particular source to be unreliable because some information was missing
from the database. Also, DISA IG auditors found causes for some of the omissions, but not all
of them. Because using the particular database would result in false positives, DISA IG auditors
did not report any findings or recommendations.

The DISA IG Audit Handbook does not contain policies and procedures for issuing a Letter
Report.
This is the only instance where the DISA IG issued a Letter Report.

Recommendation, Management Comments, and Our Response

Recommendation
We recommend that the Director, DISA:

 3. Issue a memorandum to the recipient of the Letter Report: Data Mining of DISA
    Government Travel Card Program (Project No. 2010-H-301), August 10, 2010, to
    state that the nonaudit service provided was not performed in accordance with
    GAGAS.

Management Comments
The Inspector General, DISA concurred. A memorandum to the recipient of the Letter Report:
Data Mining of DISA Government Travel Card Program (Project No. 2010-H-301),
August 10, 2010 will be issued to state that the nonaudit service provided was not performed in
accordance with GAGAS.

Our Response
The management comments are responsive. When completed, we request the Inspector
General, DISA, to provide us with a copy of the memorandum that was issued.

Appendix C. GAGAS Noncompliances Warranting Disclosure Due to Their Importance to the Quality Control System
The DISA IG audit organization’s performance during the audits showed evidence of
noncompliance in five additional GAGAS areas pertaining to audit evidence and documentation,
reporting, independence, planning, and quality control.
These five areas of noncompliance were
not considered to be significant and did not affect the opinion rendered, but due to their relative
importance to the audit organization’s system of quality control, they warrant disclosure.
For each of the five areas, the auditors did not:

   • audit evidence and documentation
       o properly develop the elements of a finding;
   • reporting
       o adequately present the elements of a finding, and
       o adequately explain the audit’s scope and methodology;
   • independence
       o complete a Statement of Independence, and
       o assess the independence of a specialist;
   • planning
       o update audit programs to reflect changes,
       o obtain an understanding of the qualifications of a specialist, and
       o approve audit plans in accordance with procedures established in the quality
         control system; and
   • quality control
       o comply with independent reference review policies and procedures.

All Elements of a Finding Were Not Sufficiently Developed
For the Audit of Travel Vouchers Through the Defense Travel System, we identified a
deficiency where the audit evidence and documentation was not sufficient to address the audit
objectives and to support the findings and conclusions. Specifically, the auditors did not
properly develop the elements of a finding necessary to address the audit objectives.

GAGAS 7.72 states auditors should plan and perform procedures to develop the elements of a
finding necessary to address the audit objectives, and a finding or set of findings is complete to
the extent that the audit objectives are addressed.
The Audit Handbook states that during the
fieldwork phase of a performance audit, the team should collect, analyze, interpret, and
document the information and evidence needed to accomplish the audit objectives and to support
the audit results and conclusions.

For the Audit of Travel Vouchers through the Defense Travel System, a secondary objective was
to determine whether vouchers had required supporting documents and expenses were supported
by receipts when required. The audit team did not perform procedures to identify the reason or
explanation for a condition nor establish a clear, logical link to establish the impact or potential
impact of the difference between the situation that existed and the required or desired state. For
example, one of the conditions that existed was that travel vouchers (38 of 196 travel vouchers)
within the travel system were missing required receipts; travelers sought payments totaling
approximately $28,600 in travel expenses that were not substantiated. It was implied by the
recommendation in the audit report that the travel receipts were missing because they were not
properly uploaded into the system by the travelers. There was no evidence in the workpapers to
indicate that DISA IG auditors evaluated whether travelers did not comply with the requirements
for uploading travel receipts, nor was it confirmed that travelers failed to properly upload the
travel receipts into the system. A root or underlying cause for the missing receipts was never
supported.

Reporting
Findings in Audit Reports Were Inadequate
DISA IG’s audit reports were not presented with a clear and concise summarization of the audit
findings and conclusions.
For three of the four projects we reviewed (the Audit of Operational
Support System Issues, the Audit of Travel Vouchers through DTS, and the Audit of Incoming
MIPRs at DITCO Scott), the audit report contained findings which were not adequately
developed. GAGAS 8.14 states clearly developed findings assist management or oversight
officials of the audited entity in understanding the need for taking corrective action. The Audit
Handbook states that the finding summary paragraphs should summarize the finding by
highlighting condition, cause, and effect; be concise; and give the reader a general understanding
of the problem(s) and foreshadow the need for recommended action(s).

For the Audit of Operational Support Systems Issues, two of the three findings’ elements were
not sufficiently developed. For example, there was no effect provided for Finding B; the audit
team did not describe the consequences of the actions taken, particularly when the results
showed variation from regulations. In Finding C, the condition was actually the cause and the
effect was the condition. Specifically, the audit report stated the following:

    Finding C: Circumstances of Netcool Software Acquisition were Wasteful

    NS8 initiated a purchase request for Micromuse Netcool Software (Netcool
    software) in September 2006, prior to completing the required architectural
    design and implementing strategy (Condition). Thus, NS8 expended more than
    three years of funds in unused licenses and maintenance fees, prior to installing
    the Netcool software in June 2008 and making the software operational in
    December 2009 (Effect). These conditions occurred because NS8 originally
    sought to avoid losing $724,256 in procurement funds set to expire in FY 2006.
    As a result, NS8 expended $3,684,129 for Netcool Software licenses and annual
    maintenance fees for FY 2006 through FY 2009 for software that went unused
    from its acquisition in FY 2007 to June 2008 (Effect). This purchase did not
    provide the best value for the Government and precluded DISA from expending
    these procurement funds on other validated requirements.

For the Audit of Travel Vouchers Through the Defense Travel System, one of the four findings
was not sufficiently developed. Specifically, the effect was not adequately stated in Finding
Three. The audit report stated that because individuals were not able to provide copies of
documentation detailing their job-related duties and responsibilities, they may not know how to
properly perform their duties. A more appropriate effect would have been that the individuals
may not know what duties they are to perform. Since the effect may be used to demonstrate the
need for corrective action in response to identified problems or relevant risks, auditors should
ensure that the effect is concise.

For the Audit of Incoming MIPRs at DITCO Scott, both of the finding summary paragraphs did
not include the causes and effects. While the causes and effects were sometimes identified in the
following discussion sections related to the findings, omission of the cause and effect in the
finding summary paragraphs did not meet Audit Handbook requirements. According to the
Regional IG at DISA, the summary finding paragraphs for the audit report were prepared in
accordance with guidance received from senior management in October 2008. Senior
management presented a new format as to how the summary finding paragraph should be
constructed, which did not include the cause and effect.
Instead, the cause and effect were to be
included in the sub-findings. The July 2007 version of the DISA IG Audit Handbook was never
updated to include this new guidance.

The Audit’s Scope and Methodology Was Inadequately Explained
The DISA IG did not adequately explain the audit’s scope and methodology in the audit report
for two of the four projects we reviewed. Specifically, the audit reports did not clearly explain:

   • the audit’s scope, including the relationship between the population (universe) and the
     items tested (sample size);
   • the audit’s scope, including the kinds and sources of evidence used;
   • how the audit’s methodology and completed audit work supports the audit objectives,
     including the criteria used; and/or
   • how the audit’s methodology and completed audit work support the audit objectives,
     including when the sampling significantly supports the auditors’ findings, conclusions, or
     recommendations, a description of the sampling design and why it was chosen.

GAGAS 8.11 states that auditors should describe the scope of the work performed and any
limitations, including issues that would be relevant to likely users, so that they could reasonably
interpret the findings, conclusions, and recommendations in the report without being misled.
The Audit Handbook states that the report must address the objectives, scope, and methodology
or approach used in conducting the audit. The scope and methodology used for achieving the
audit objectives are usually included in Appendix A of the audit report. In addition, if sampling
was used, the team should describe the sample design and why it was chosen. The description
should include the size of the sample and the dollar value associated with it, if appropriate.
They
should also fully discuss sampling plan and sample results, but avoid presenting complex
statistical analyses and formulas. Further, the Audit Handbook states GAGAS requires that the
team should explain the evidence gathering and analytical techniques in sufficient detail to allow
knowledgeable users of their reports to understand how the auditors answered the audit
objective. Specific examples of the deficiencies in explaining the audit’s scope and methodology
are detailed in the table that follows.

Audit Project / Listing of Deficiencies in Explaining the Audit’s Scope and Methodology

Audit of Compliance with Requirements for IUID Clauses in Supply Contracts (Project No. 2010-H-304)
   • The specific number of contracts (20) used for the second finding were not mentioned in
     Appendix A. Also, auditors did not clearly explain whether the 20 contracts were part of
     the 50 contracts used in the first finding.
   • The Contracting Officer Representative/Task Monitor database used to verify training
     requirements was not identified in Appendix A as kinds and sources of evidence used. A
     review of the database was completed as part of Finding B. The auditors found that some
     of the Contracting Officer Representatives/Task Monitors had not completed mandatory
     training.
   • For the second finding, Appendix A did not describe the sample designs or why they were
     chosen.

Audit of Travel Vouchers Through the Defense Travel System (Project No. 2009-H-301)
   • Appointment records and training documents obtained and reviewed were not identified in
     Appendix A as kinds and sources of evidence used. The review of these documents was
     discussed in Finding Three. Specifically, the auditors found that Authorizing Officials and
     Certifying Officials did not maintain copies of appointment letters as required by the DoD
     Financial Management Regulation. Also, the Authorizing Officials and Certifying Officials
     did not provide requested training documentation so that the auditors could verify that
     training requirements, as described in Public Law 104-106, were met.
   • Public Law 104-106 was not properly defined in the audit report (Finding Three). This
     criteria should have been defined and supported in the report itself, not referenced in
     another criteria (Defense Travel Management Office Guide [DTMO]). Public Law 104-106
     is the overarching criteria and the DTMO Guide implements it.

Independence
Auditors and Specialist Did Not Certify their Independence
For two of the four audits we reviewed, two of the eight auditors assigned to the projects did not
complete a Statement of Independence. Also, for one of the four audits, the audit team did not
ensure that a statistician completed a Statement of Independence. GAGAS 3.02 states that in all
matters relating to the audit work, the individual auditor must be free from personal, external,
and organizational impairments to independence. GAGAS 3.05 states when auditors use the
work of a specialist, auditors should assess the specialist’s ability to perform the work and report
results impartially as it relates to their relationship with the program or entity under audit. The
Audit Handbook states that all employees, including technical experts assigned to audits must
certify their independence or impairment to independence for each project. Whether or not a
person is directly charging time to a project, that person must certify their independence by
completing the Statement of Independence.

For the Audit of Compliance with Requirements for IUID Clauses in Supply Contracts, one of
the five auditors assigned to the project did not complete a Statement of Independence. In
addition, for the Audit of Operational Support Systems Issues, one of the three auditors assigned
to the project did not complete a Statement of Independence. Also, for this audit, a supervisor
did not sign a team member’s Statement of Independence as required by the Audit Handbook,
which states that the next level supervisor (Project Leader or Assistant IG) reviews and signs the
Statement of Independence.
By signing the Statement of Independence, supervisors agree that it
appears that no personal or external impairments to independence exist.

For the Audit of Incoming MIPRs at DITCO Scott, a statistician who the audit team collaborated
with did not complete a Statement of Independence. One of the factors that helped the auditors
select the sample that was used for the audit was the statistician's suggestions.

Planning
Deficiencies in Audit Planning
We found that all four of the projects reviewed lacked compliance with GAGAS and Audit
Handbook requirements for audit planning. The deficiencies in audit planning were caused by a
lack of:

   • updating the audit program to reflect changes made to the plan during the audit;
   • obtaining an understanding of the qualifications of a specialist; and
   • approving audit plans in accordance with the procedures established in the quality control
     system.

Audit Plans Not Updated to Reflect Changes in Scope
For two of the four projects, the audit program was not modified to reflect a change in the audit’s
scope. GAGAS 7.06 states that auditors must adequately plan and document the planning of the
work necessary to address the audit objectives. Also, GAGAS 7.50 states auditors should update
the plan, as necessary, to reflect any significant changes to the plan made during the audit. In
addition, the Audit Handbook states if changes in the scope of the audit occur as the audit
proceeds, the audit program should be modified to reflect the changes.

For the Audit of Operational Support Systems Issues, the audit program was not modified as
required by the Audit Handbook to reflect a change in the total number of contracts in the
universe the audit team used to pull a judgmental sample. Initially, the universe contained 34
contracts valued at $25.1 million.
However, the universe changed from 34 contracts to 33
contracts, which were valued at $24.9 million.

For the Audit of Travel Vouchers Through the Defense Travel System, the audit program was
not updated to reflect a change regarding whose (civilian versus military) travel vouchers the
audit team would review. Management initially decided that only the travel documents of
civilian personnel would be reviewed, but it was later decided upon to review the travel
documents of military personnel as well.

Qualifications of Specialist Not Assessed
For one of the four projects, the auditors did not assess the qualifications of an external specialist
that assisted in performing the audit. GAGAS 3.49 states that auditors who use the work of
external specialists should assess the professional qualifications of such specialists and document
their findings and conclusions. The Audit Handbook states auditors who use the work of
specialists should document that the specialists are qualified in their areas of specialization.

One of the factors that helped the auditors select the sample that was used for the Audit of
Incoming MIPRs at DITCO Scott was a statistician's suggestions. The audit team sought
confirmation from the statistician regarding potential confidence levels, error rates, and sample
sizes to be considered for the audit. An external specialist’s qualifications should be assessed to
verify their professional qualifications in their field of work.

Audit Programs Not Approved in Accordance with Policies and Procedures
For two of the four projects, Audit of Compliance with Requirements for IUID Clauses in
Supply Contracts and Audit of Operational Support Systems Issues, the audit program was not
approved in accordance with the Audit Handbook.
The Audit Handbook states the DISA IG
must approve the written audit program before the beginning of the audit verification phase by
signing off on the plan either electronically or hardcopy signature. Although there was
documentation where the audit approach was discussed with senior management, there was no
evidence of final approval of the audit plan because senior management did not sign off on the
plan either electronically or hardcopy signature.

Additional Quality Control Policies and Procedures
Inputs to the quality control system at the DISA IG include independent reference reviews and
the use of project technical checklists, which should be applied to most projects. These measures
help to ensure that products issued are accurate, complete, and logical, and provide reasonable
assurance that the audit organization has adopted and is following applicable auditing standards,
and has established and is following adequate audit policies and procedures.

For three of the four projects we reviewed, we identified several deficiencies related to the audit
organization’s independent report referencing process and use of project quality control
checklists-performance audits. The majority of the deficiencies revolved around the independent
reference review process, which can have an adverse effect on the overall process.

Deficiencies in the Independent Reference Review Process
The Audit Handbook provides policy and guidance for quality control independent referencing
reviews of audits the AIGA conducts. It implements portions of GAGAS on professional
judgment, quality control, and reporting.
The Audit Handbook states that independent
referencing is an integral part of the audit quality control process that helps to ensure that the
draft and final reports are accurate and adequately supported by the audit documentation.

For three of the four projects, we identified several instances where DISA IG auditors did not
comply with the DISA IG’s IRR policies and procedures for performance audits. The following
table specifies the noncompliances that were identified.

Audit Project / Listing of Deficiencies Identified for the IRR Process

Audit of Compliance with Requirements for IUID Clauses in Supply Contracts (Project No. 2010-H-304)
   • AIGA did not sign IRR certification for the draft report.
   • Performance Branch Chief/Project Leader did not sign the IRR certification prior to the
     issuance of the draft report. The Chief/Project Leader's electronic signature was affixed on
     June 9, 2011. The date of the draft report was December 7, 2010.
   • The independent reference reviewer did not note on the IRR Sheet (draft report) that the
     audit program was not properly completed, and signed by the Assistant IG and Project
     Leader. In addition, the independent reference reviewer did not verify that an approved
     written audit program existed.
   • The Project Leader did not ensure that the underlying project documentation supporting
     the report was reviewed before the IRR began.

Audit of Operational Support Systems Issues (Project No. 2010-H-303)
   • The independent reference reviewer did not verify that an approved written audit program
     existed.
   • The independent reference reviewer did not note that some of the project documentation
     did not have evidence of supervisory review.
   • Project Leader did not ensure that the underlying project documentation supporting the
     report was reviewed before the IRR began.
   • AIGA did not sign IRR certification for the draft report.
   • AIGA and the Project Leader did not sign IRR certification for the final report.
   • The final report was not fully referenced. Specifically, the cross-referenced final report did
     not contain the Management Comments (the sections after each individual finding was
     discussed).

Audit of Travel Vouchers Through the Defense Travel System (Project No. 2009-H-301)
   • The AIGA did not sign the IRR certification for the final report.

Reference Reviews at the Regional Office
Due to limited staff assigned to the regional office, the office did not conduct IRRs.
The
Regional IG supervised the audit work, performed reference reviews for the audit reports, and
ensured quality control on all projects.

For the one project we reviewed at the regional office, the Audit of Incoming MIPRs at DITCO
Scott, we identified areas within the reference review process that need improving to ensure that
audit reports are fully supported. For example, we identified instances where references used to
support the audit report lacked pertinent information and further explanations were required.
Although these instances were noted, they did not make the audit report unreliable; an
independent evaluation of the completeness and accuracy of the evidence used to support the
report may have revealed the reference deficiencies we noted. Examples of the reference
deficiencies included:

   • summary workpaper (Purpose section) used to show analysis performed for both of the
     audited entities only identified one entity, not both;
   • an example used to support a minor concern the auditors identified was not referenced;
   • numbers used in a table in the report were not found in the reference provided; and
   • a reference provided did not support the statement in the report.

Use of Project Quality Control Checklists
For one of the four audits we reviewed, the Audit of Operational Support Systems Issues, the
Project Quality Control Checklist was not signed by the Branch Chief. Supervisors and team
leaders use the Project Quality Control Checklists throughout the course of audits as a reminder
of GAGAS requirements for project planning, supervision, project documentation, and reporting.
The Audit Handbook states that at the conclusion of each project, the checklist is to be signed by
the Branch Chief and the Auditor-in-Charge.
The Branch Chief’s signature confirms that they
have completed the checklist and all requirements of the checklist have been met.

Recommendations, Management Comments, and Our Response

Recommendations
We recommend that the Director, DISA:

 4. Take action to improve the audit organization’s understanding and compliance of the
    following GAGAS standards: professional judgment, supervision, audit evidence,
    audit documentation, reporting requirements, performing and reporting on nonaudit
    services, independence, and planning.

Management Comments
The Inspector General, DISA concurred. In-house training will be provided in coordination with
updates to the Audit Handbook.

Our Response
The management comments are responsive. We request the Inspector General, DISA, to provide
us with a copy of the training syllabus and curriculum to ensure ourselves all standards covered
by this recommendation are adequately addressed.

 5. Reevaluate the audit organization’s goal to complete audits within 180 days. While
    we cannot definitively conclude that the 180-day timeframe resulted in the significant
    deficiencies and additional deficiencies we identified, this timeframe may not be
    reasonable and may have an effect on the audit organization’s operations and ability
    to comply with GAGAS.

Management Comments
The Inspector General, DISA concurred. The current goal of completing audits within 180 days
will be reevaluated.

Our Response
The management comments are responsive. We request the Inspector General, DISA, to provide
us with a copy of the evaluation plan for audit completion timeframes.

 6. Ensure audit management incorporates guidance, such as the new format for
    presenting summary finding paragraphs in audit reports, and any other audit and
    reporting practices that have already been implemented, into the Audit Handbook.

Management Comments
The Inspector General, DISA concurred. Guidance from senior management will be
incorporated in the next update to the Audit Handbook.

Our Response
The management comments are responsive. When completed, we request the Inspector General,
DISA, to provide us with a copy of the revised Audit Handbook.

Appendix D. Summary of Interview Results Relating to DISA IG Audit Policies and GAGAS
We interviewed nine staff members of the DISA IG audit organization to determine their
knowledge of DISA IG audit policies and GAGAS. The interviews consisted of questions
related to the DISA IG audit policies and GAGAS, fieldwork standards, and reporting standards.
A summary of the results of the responses received follows:

Areas Pertaining to DISA IG Audit Division      Responses to Questions
Policies and GAGAS Standards

 1. Awareness of DISA IG Audit Policies         All staff were aware of the audit policies.

 2. Compliance with GAGAS                       Most staff stated that their work complied with
                                                GAGAS standards.

 3. Independence                                Most staff did not encounter any external or
                                                organizational independence impairments
                                                when performing their work.

                                                All staff stated that they did not perform any
                                                nonaudit services that could impact
                                                independence.

 4. Competence                                  Staff responses indicated that the competency
                                                requirement was fulfilled.

 5. Quality Control and Assurance               Depending on years of auditing experience
                                                and length of employment at the DISA IG,
                                                answers varied from extensive to minimal
                                                understanding of quality control procedures.

 6. Planning (Key Decisions)                    Staff involved with audit planning documented
                                                key planning decisions and communicated with
                                                the client throughout the planning phase.

 7. Planning (Fraud)                            Staff performed risk assessments for the audit
                                                programs.

 8. Supervision                                 All staff stated that they received or provided
                                                adequate supervision.

 9. Audit Documentation                         Staff provided examples of processes
                                                performed to ensure that audit reports are
                                                properly supported.

10. Evidence                                    Staff provided examples of actions to ensure
                                                that audit evidence is supported in the final
                                                report.

11. Reporting (Timeliness)                      The audit organization’s goal is to complete
                                                audits within 180 days.

Appendix E. Scope and Methodology
We reviewed the adequacy of the DISA IG audit organization’s compliance with their quality
control policies, procedures, and GAGAS. We reviewed three audits at DISA IG Headquarters
and one audit at the Regional Office.

We reviewed the adequacy of the design of policies and procedures that the DISA IG audit
organization established to provide reasonable assurance of compliance with GAGAS in the
conduct of its audits and attestation engagements. The DISA IG Audit Handbook, July 2007
version, was the policy and guidance document that was reviewed.

In performing our review, we considered the requirements of quality control standards and other
auditing standards contained in the 2007 Revision of GAGAS issued by the Comptroller General
of the United States. GAGAS 3.56 states:

    The audit organization should obtain an external peer review sufficient
    in scope to provide a reasonable basis for determining whether, for the
    period under review, the reviewed audit organization’s system of
    quality control was suitably designed and whether the audit
    organization is complying with its quality control system in order to
    provide the audit organization with reasonable assurance of conforming
    with applicable professional standards.

We performed this review from March 2011 through October 2011 in accordance with standards
and guidelines established in the March 2009 Council of the Inspectors General on Integrity and
Efficiency “Guide for Conducting External Peer Reviews of Audit Organizations of the Federal
Offices of Inspector General.” In performing this review, we assessed, reviewed, and evaluated:

   • the adequacy of the design of policies and procedures that the DISA IG audit
     organization established to provide reasonable assurance of compliance with GAGAS in
the conduct of its audits and attestation engagements;\n   \xe2\x80\xa2   staff understanding of quality control policies and procedures;\n   \xe2\x80\xa2   independence documentation and records of continuing professional education to verify\n       the measures that enable the identification of independence impairments and maintenance\n       of professional competence;\n   \xe2\x80\xa2   independence safeguards for nonaudit services; and\n   \xe2\x80\xa2   four audit reports and related project documentation to determine whether established\n       policies, procedures, and applicable standards were followed.\n\nWe selected four reports from a universe of 14 reports issued by the DISA IG during FY 2009,\nFY 2010, and until March FY 2011. We tested the four projects for compliance with the DISA\nIG audit organization\xe2\x80\x99s system for quality control for audits and attestation engagements. Also,\nwe performed a minimal review of the project documentation for one additional project in which\na Letter Report was issued.\n\n\n\n\n                                                    24\n\x0cIn selecting the reports, we worked with the DISA IG audit organization to establish the universe\nof reports that were issued during the review period. We then selected reports that were\nrepresentative of the types of reviews completed. The DISA IG did not issue any financial audit\nreports during the review period.\n\nThe following table identifies the specific reports we reviewed at both audit offices. 
The \xe2\x80\x9cType\nof Review\xe2\x80\x9d column contains information that was determined by the report GAGAS compliance\nstatement and/or type of review described in the final report.\n\n      Audit Office                 Report Title, Number, Issue Date           Type of Review\n  DISA IG Headquarters           2011-02, \xe2\x80\x9cAudit of Compliance with            Performance\n                                 Requirements for Item Unique\n                                 Identification Clauses in Supply\n                                 Contracts,\xe2\x80\x9d February 3, 2011\n                                 2011-01, \xe2\x80\x9cAudit of Operational                Performance\n                                 Support Systems Issues,\xe2\x80\x9d December\n                                 17, 2010\n                                 2009-06, \xe2\x80\x9cAudit of Travel Vouchers            Performance\n                                 Through the Defense Travel System,\xe2\x80\x9d\n                                 August 25, 2009\n  DISA IG Regional Office        2009-01, \xe2\x80\x9cAudit of Incoming MIPRs at          Performance\n                                 DITCO Scott,\xe2\x80\x9d November 13, 2008\n\nLimitations of Review\nOur review would not necessarily disclose all weaknesses in the system of quality control or all\ninstances of noncompliance because we based our review on selective tests. There are inherent\nlimitations in considering the potential effectiveness of any quality control system. Departures\nfrom GAGAS can result from misunderstood instructions, mistakes in judgment, carelessness, or\nother human errors. 
Projecting any evaluation of a quality control system is subject to the risk\nthat one or more procedures may become inadequate because conditions may change or the\ndegree of compliance with procedures may deteriorate.\n\n\n\n\n                                               25\n\x0cDefense Information Systems Agency Comments\n\n\n\n\n                    26\n\x0c27\n\x0c28\n\x0c29\n\x0c\x0c'